{
  "$type": "site.standard.document",
  "canonicalUrl": "https://johnnyreilly.com/posts/arm-templates-security-role-assignments",
  "description": "ARM templates can help define Azure Role-Based Access Control. By creating role assignments, users can grant Managed Identities access to resources.",
  "path": "/posts/arm-templates-security-role-assignments",
  "publishedAt": "2021-02-08T00:00:00.000Z",
  "site": "at://did:plc:yy3apqjlms24kso7ahn7lbmb/site.standard.publication/3mova7c4nho2b",
  "tags": [
    "azure"
  ],
  "textContent": "This post is about Azure's role assignments and ARM templates. Role assignments can be thought of as \"permissions for Azure\".\n\nIf you're deploying to Azure, there's a good chance you're using ARM templates to do so. Once you've got past \"Hello World\", you'll probably find yourself in a situation where you're deploying multiple types of resource to make up your solution. For instance, you may be deploying an App Service alongside Key Vault and Storage.\n\nOne of the hardest things when it comes to deploying software and having it work is permissions. Without adequate permissions configured, the most beautiful code can do _nothing_. Incidentally, this is a good thing. We're deploying to the web; many people are there, not all good. As a different kind of web-head once said:\n\nAzure has great power and suggests you use it wisely.\n\n> Access management for cloud resources is critical for any organization that uses the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.\n>\n> Designating groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need to know and least privilege security principles is imperative for organizations that want to enforce security policies for data access.\n\nThis is good advice. With that in mind, how can we ensure that the different resources we're deploying to Azure can talk to one another?\n\nRole (up for your) assignments\n\nThe answer is roles. There are a number of built-in roles in Azure that can be assigned to users, groups, service principals and managed identities. A role assignment ties three things together: a principal (who), a role definition (which actions are allowed) and a scope (the resource, resource group or subscription those actions apply to). In our own case we're using a managed identity for our resources. What we can do is use \"role assignments\" to give our managed identity access to given resources. 
Arturo Lucatero gives a great short explanation of this:\n\n<iframe width=\"560\" height=\"315\" src=\"https://www.youtube.com/embed/Dzhm-garKBM\" frameBorder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowFullScreen=\"\"></iframe>\n\nWhilst this explanation is delightfully simple, the actual implementation when it comes to ARM templates is a little more involved, because now it's time to talk \"magic\" GUIDs. Consider the following truncated ARM template, which gives our managed identity (and hence our App Service, which uses this identity) access to Key Vault and Storage:\n\nLet's take a look at these three variables:\n\nThe three variables above contain the subscription-scoped resource ids of the built-in role definitions for Storage Blob Data Contributor, Key Vault Secrets Officer and Key Vault Crypto Officer. The first question on your mind is likely: \"what is ba92f5b4-2d11-453d-a403-e96b0029c9fe and where does it come from?\" Great question! Each of these GUIDs is the id of a built-in role definition in Azure RBAC. Built-in role ids are the same in every Azure subscription (only custom roles get their own GUIDs), which is why a template can hard-code them. ba92f5b4-2d11-453d-a403-e96b0029c9fe is the Storage Blob Data Contributor role.\n\nHow can I look these up? Well, there are two ways: there's an article that documents them here, or you can crack open the Cloud Shell and look up a role by GUID like so:\n\nOr by name like so:\n\nAs you can see, the Actions section of the output above (and in even more detail in the linked article) tells you what each role can do. So if you're looking to enable one Azure resource to talk to another, you should be able to refer to these to identify the least privileged role that covers what your code actually needs.\n\nCreating a role assignment\n\nSo now we understand how to identify the roles in question, let's take the final leap and look at assigning those roles to our managed identity. 
For each role assignment, you'll need a roleAssignments resource defined that looks like this:\n\nLet's go through the above, significant property by significant property (it's also worth checking the official reference here):\n\n- type - the type of role assignment we want to create. For a key vault it's \"Microsoft.KeyVault/vaults/providers/roleAssignments\"; for storage it's \"Microsoft.Storage/storageAccounts/providers/roleAssignments\". The pattern is the type of the resource being secured, followed by \"/providers/roleAssignments\". Because the assignment is nested under that resource, its name takes the shape \"<resource name>/Microsoft.Authorization/<GUID>\"; the trailing GUID is the assignment's own id, so generate it deterministically (for example with the guid() template function seeded with scope, principal and role) rather than with a fresh GUID per deployment, otherwise redeploying will try to create a duplicate assignment and fail.\n- dependsOn - before we can create a role assignment, the principal we want to grant permissions to (in our case a managed identity) needs to exist.\n- properties.roleDefinitionId - the role we're assigning, given as the resource id of the role definition. For this example it's one of the variables defined earlier, e.g. storageBlobDataContributor, defined as [subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]. (Note the use of the GUID.)\n- properties.principalId - the object id of the principal we're granting permissions to. In our case this is a managed identity (a type of service principal); it is the identity's principalId, not its clientId.\n- properties.scope - the resource id at which the assignment applies, i.e. the resource we're granting access to. Our key vault isn't defined in this ARM template, so we name it explicitly here. Keep the scope as narrow as the code needs: a single vault or storage account rather than the whole resource group or subscription.\n- properties.principalType - the type of principal we're creating an assignment for; in our case this is \"ServicePrincipal\", our managed identity. Setting this explicitly for a freshly created identity also stops the deployment failing with a \"principal not found\" error while the new identity is still replicating.\n\nThere is an alternative approach where the type is \"Microsoft.Authorization/roleAssignments\" and the target resource is given via the scope property. Whilst this also works, it displayed errors in the Azure tooling for VS Code. As such, we've opted not to use that approach in our ARM templates.\n\nMany thanks to the awesome John McCormick who wrangled permissions with me until we bent Azure RBAC to our will.",
  "title": "Azure RBAC: role assignments and ARM templates"
}
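The post's own template and variable blocks did not survive extraction, so here is an added example, written for this edit and not the post's code, of a complete ARM template that covers the three role definition variables and the nested roleAssignments resources the post describes. It assumes: a user-assigned managed identity created in the same template (an App Service with a system-assigned identity would instead supply `reference(<app service id>, '<apiVersion>', 'Full').identity.principalId`), a Key Vault and a storage account that already exist in the target resource group and whose names are passed as parameters, and the built-in role ids for Key Vault Secrets Officer (b86a8fe4-44ce-4948-aee5-eccb2c155cd7) and Key Vault Crypto Officer (14b46e9e-c2b7-41b4-b07b-48a6ebf60603), which are taken from the built-in roles reference rather than from the post; confirm them with the lookup the post describes before relying on them. All parameter values are hypothetical.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "identityName": {
      "type": "string",
      "metadata": { "description": "User-assigned managed identity created by this template (hypothetical, e.g. app-identity)." }
    },
    "keyVaultName": {
      "type": "string",
      "metadata": { "description": "Existing Key Vault in this resource group. Key Vault data-plane roles only take effect if the vault has enableRbacAuthorization set to true." }
    },
    "storageAccountName": {
      "type": "string",
      "metadata": { "description": "Existing storage account in this resource group." }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "variables": {
    "storageBlobDataContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
    "keyVaultSecretsOfficer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]",
    "keyVaultCryptoOfficer": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')]",
    "identityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]",
    "keyVaultId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  },
  "resources": [
    {
      "comments": "The principal. Its principalId (object id), not its clientId, is what the assignments below bind to.",
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2018-11-30",
      "name": "[parameters('identityName')]",
      "location": "[parameters('location')]"
    },
    {
      "comments": "Storage Blob Data Contributor scoped to the one storage account. The assignment name is a GUID derived from scope, principal and role, so redeploying the template is idempotent.",
      "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(variables('storageId'), variables('identityId'), variables('storageBlobDataContributor')))]",
      "dependsOn": [ "[variables('identityId')]" ],
      "properties": {
        "roleDefinitionId": "[variables('storageBlobDataContributor')]",
        "principalId": "[reference(variables('identityId'), '2018-11-30').principalId]",
        "principalType": "ServicePrincipal",
        "scope": "[variables('storageId')]"
      }
    },
    {
      "comments": "Key Vault Secrets Officer on the vault. If the app only reads secrets, Key Vault Secrets User is the least-privilege choice.",
      "type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[concat(parameters('keyVaultName'), '/Microsoft.Authorization/', guid(variables('keyVaultId'), variables('identityId'), variables('keyVaultSecretsOfficer')))]",
      "dependsOn": [ "[variables('identityId')]" ],
      "properties": {
        "roleDefinitionId": "[variables('keyVaultSecretsOfficer')]",
        "principalId": "[reference(variables('identityId'), '2018-11-30').principalId]",
        "principalType": "ServicePrincipal",
        "scope": "[variables('keyVaultId')]"
      }
    },
    {
      "comments": "Key Vault Crypto Officer on the same vault. A second assignment at one scope gets a different GUID because the role differs.",
      "type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[concat(parameters('keyVaultName'), '/Microsoft.Authorization/', guid(variables('keyVaultId'), variables('identityId'), variables('keyVaultCryptoOfficer')))]",
      "dependsOn": [ "[variables('identityId')]" ],
      "properties": {
        "roleDefinitionId": "[variables('keyVaultCryptoOfficer')]",
        "principalId": "[reference(variables('identityId'), '2018-11-30').principalId]",
        "principalType": "ServicePrincipal",
        "scope": "[variables('keyVaultId')]"
      }
    }
  ],
  "outputs": {
    "identityClientId": {
      "type": "string",
      "value": "[reference(variables('identityId'), '2018-11-30').clientId]"
    }
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file roles.json --parameters identityName=<name> keyVaultName=<vault> storageAccountName=<account>`. To check a role id or see what a role permits, the lookup the post refers to is `az role definition list --name "Key Vault Crypto Officer" --query "[].{id:name, actions:permissions[0].actions, dataActions:permissions[0].dataActions}"`; for the data-plane roles used here the interesting entries are under dataActions. Two things worth checking before trusting a deployment like this: the vault must have enableRbacAuthorization set to true, otherwise Key Vault ignores these role assignments and falls back to its access policies; and the properties.scope value must match the resource the assignment is nested under, since the nested type already fixes the scope through the name.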